Secure wireless network: top tips for secure Wi-Fi

Don't let Wi-Fi provide hackers with a backdoor into your network

Most companies go to great lengths to keep unauthorised users off their networks, but Wi-Fi access points can provide hackers with a convenient way in. That's because Wi-Fi signals are often broadcast beyond the walls of the company and out into the streets - an enticing invitation for hackers.

Since many companies allow or even actively encourage employees to connect to the network using their own mobile devices - tablets and smartphones as well as laptops - it's not practical for most companies to switch off Wi-Fi access. Instead, here are five tips to make your wireless network more secure:

1. Use WPA

Some Wi-Fi access points still offer the older WEP (Wired Equivalent Privacy) standard of protection, but it is fundamentally broken. That means that hackers can break into a WEP-protected network using a hacking suite like Aircrack-ng in a matter of minutes.

So to keep out intruders, it's essential to use some variant of WPA (Wi-Fi Protected Access) protection, either WPA or the newer WPA2 standard.

For smaller companies it may be practical to use WPA with a pre-shared key. That means that all employees use the same password to connect, and network security depends on them not sharing the password with outsiders. It also means that the password should be changed every time an employee leaves the company.

Some Wi-Fi routers offer a feature called Wireless Protect Setup (WPS), which provides an easy way to connect devices to a WPA-protected wireless network. However, this can be exploited by hackers to retrieve your WPA password, so it is important to disable WPS in the router's settings.

In larger organisations it makes more sense to use WPA in enterprise mode, which allows each user to have their own username and password to connect to the Wi-Fi network. This makes it much easier to manage when employees are leaving regularly, as you can simply disable ex-employees' accounts; but to use WPA in enterprise mode you have to run a server (known as a RADIUS server) which stores the login information for each employee.

2. Use a secure WPA password

Make sure that any password (or passphrase) that protects your Wi-Fi network is long and random so it can't be cracked by a determined hacker.

You can test the security of your WPA-protected network (without revealing your password or passphrase) by using the CloudCracker service. You'll be asked to provide some data (the same data that a hacker could capture or "sniff" out of the air with a laptop from anywhere in range of your network) and the service will attempt to extract your password.

If the service is unsuccessful then a hacker is unlikely to be successful either. But if the service finds your password then you know that you need to choose a longer, more secure one.

3. Check for rogue Wi-Fi access points

Rogue access points present a huge security risk. These aren't your company's "official" Wi-Fi access points, but ones that have been brought in by employees (perhaps because they can't get a good Wi-Fi signal in their office), or conceivably by hackers who have entered your building and surreptitiously connected one to an Ethernet point and hidden it.

In either case, rogue access points present a risk because you have no control over them or how they are configured: for example, one could be set up to broadcast your SSID (the 32-character identifier for a wireless network) and allow anyone to connect without providing a password.

To detect rogue access points you need to scan your offices and the area around them on a regular basis using a laptop or mobile device equipped with suitable software such as Vistumbler or airodump-ng. These programs allow the laptop to "sniff" the airwaves to detect any wireless traffic travelling to or from a rogue access point, and help you identify where they are located.
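
One way to turn a regular scan into a repeatable check, as an added example that is not part of the original article: it reads the access-point section of an airodump-ng CSV capture and flags anything missing from your own inventory, strongest signal first. The BSSIDs, the SSID "ExampleCorp" and the sample rows are constructed for illustration; only the column layout follows airodump-ng's CSV output.

```python
AUTHORISED = {"00:11:22:33:44:55", "00:11:22:33:44:56"}  # constructed inventory
COMPANY_SSID = "ExampleCorp"                             # hypothetical SSID

# Constructed sample in the column layout of an airodump-ng CSV capture.
SAMPLE = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2024-01-10 09:00:01, 2024-01-10 09:05:00,  6, 54, WPA2, CCMP, PSK, -40, 120, 0, 0. 0. 0. 0, 11, ExampleCorp,
00:11:22:33:44:56, 2024-01-10 09:00:02, 2024-01-10 09:05:00,  1, 54, WEP, WEP, , -48, 95, 0, 0. 0. 0. 0, 11, ExampleCorp,
AA:BB:CC:DD:EE:01, 2024-01-10 09:01:10, 2024-01-10 09:05:00, 11, 54, OPN, , , -35, 80, 0, 0. 0. 0. 0, 11, ExampleCorp,
AA:BB:CC:DD:EE:02, 2024-01-10 09:02:30, 2024-01-10 09:04:00,  6, 54, WPA2, CCMP, PSK, -80, 12, 0, 0. 0. 0. 0, 11, Cafe, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
11:22:33:44:55:66, 2024-01-10 09:01:00, 2024-01-10 09:05:00, -50, 40, 00:11:22:33:44:55, ExampleCorp
"""


def parse_access_points(csv_text):
    """Yield (bssid, privacy, power_dbm, essid) for each row of the AP section."""
    in_ap_section = False
    for line in csv_text.splitlines():
        parts = line.split(",")
        first = parts[0].strip()
        if first == "BSSID":
            in_ap_section = True
            continue
        if first == "Station MAC":
            break  # the client section follows; it is not needed here
        if not in_ap_section or len(parts) < 15:
            continue  # blank separator line or malformed row
        # ESSID is the second-to-last field and may itself contain commas.
        essid = ",".join(parts[13:-1]).strip()
        yield first.upper(), parts[5].strip(), int(parts[8]), essid


def find_suspects(csv_text, authorised=AUTHORISED, ssid=COMPANY_SSID):
    """Return (bssid, essid, power_dbm, reason) tuples, strongest signal first."""
    suspects = []
    for bssid, privacy, power, essid in parse_access_points(csv_text):
        if bssid in authorised:
            if not privacy.startswith("WPA"):  # WEP or open on an official AP
                suspects.append((bssid, essid, power, "official AP not using WPA"))
        elif essid == ssid:
            suspects.append((bssid, essid, power, "unlisted AP broadcasting company SSID"))
        else:
            suspects.append((bssid, essid, power, "unlisted AP, identify owner"))
    return sorted(suspects, key=lambda s: s[2], reverse=True)


if __name__ == "__main__":
    for suspect in find_suspects(SAMPLE):
        print(suspect)
```

Signal strength only hints at proximity, so an unlisted access point near the top of the list still has to be located on foot before it is treated as rogue.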